Are security fears running ahead of reality?

Such accusations have become almost routine in the wake of high-profile privacy gaffes by RealNetworks last fall and more recently by Internet advertising firm DoubleClick. But the latest incident, which involved online advertising software firm Aureate, shows how fears of abuse may be in danger of running ahead of reality.

"There's a lot of concern, no question," said Richard Smith, a Massachusetts-based Internet consultant who has tested Aureate's software. Nevertheless, he said, "There seems to be more fear than anything else."

Over the weekend, Smith inspected the software and concluded that the company was forthcoming about its intentions. But Aureate's reputation may already have been tarnished given the speed with which its accusers descended. The situation shows just how raw the privacy nerve has become.

Concerns about Aureate's technology spread late last week after Dale Haag, a forensic expert with Seabrook, Texas-based security consulting firm Net Defender, sent his findings to a mailing list for lawyers.

Haag said his conclusions were based on a preliminary investigation and were not intended for widespread publication. Still, news of his report got out, and in no time angry emails were flying around the Net.

In at least one case, charges escalated to an allegation that Aureate had stolen data from a computer.

Haag said he has found no such evidence.

"The capabilities are there to gather anything they want off the system," he said. "It could be passwords, confidential files, anything. I'm not saying they're doing that. I haven't found any evidence that they are."

Kyle Bennett, a Webmaster in Dallas, Texas, who posted Haag's findings on his site, said the reaction to the report was not unwarranted.

"Nobody likes being spied on when they're not supposed to be spied on," he said. "Maybe there's a lot of hype and hysteria about this, but in a way there probably should be. Sometimes the easiest way to get something recognized is by stirring the pot."

Aureate quickly tried to diffuse the fast-spreading lynch mob mentality of privacy vigilantes by posting on its Web site a detailed account of how its software works. Executives also sent email to roughly 50 people who contacted them.

"There's a lot of confusion about what we can do and what we are doing," said Peter Fuller, Aureate's director of communications. "There's a lot of hysteria going on; people are afraid, and those fears aren't grounded in much fact."

Haag acknowledged that his findings were, in some cases, grossly misconstrued. But he still maintains that Aureate's software can theoretically collect Internet Protocol addresses, or identification numbers, and other data from a computer even if a customer doesn't agree to give up personal information.

He also claims that Aureate impinges on a person's privacy by failing to disclose that the software runs continuously even after the bundling programs have been removed.

Smith verified that an individual can't get rid of the advertising software once it has been installed, but he considered the feature more of a nuisance--a system reliability concern rather than a privacy breach.

"I don't particularly like that feature," Smith said today. "But overall, the software is much better than what I've seen from other companies. It's clean."

Targeted ads vs. anonymity
Privacy awareness has peaked in the past month following widespread criticism of online advertising heavyweight DoubleClick. Controversy erupted when the 3-year-old New York firm revealed a plan to track consumers' movements online and to attach that data to people's real names and addresses.

DoubleClick is now the subject of three state and federal investigations and several private lawsuits, some of which have gained class-action status.

The incident underscores a prevailing problem for marketers seeking demographic information on individuals to better target advertisements.

Although some consumers may not be fully aware of how tracking and targeting programs work, a mere hint of the practice is enough to trigger an Orwellian suspicion that their every move is being watched.

Online marketers, on the other hand, see value in sending banner advertisements tailored to an individual's preference. The greater the interest, the more likely a person will click on the ad.

But how advertisers go about culling personal information to determine that preference is what has consumers up in arms.

According to Aureate, consumers must give their consent before information about them can be recorded. This method is called "opting in" to the program.

The way it works is this: Aureate's banner ad technology is bundled with nearly 400 software applications--including popular file transfer software CuteFTP--that can be downloaded for free off the Web.

Banner advertisements pay for the free software, Aureate's Fuller said.

The more targeted the advertisement, the more click-throughs, which in turn spell more returns for Aureate. If a person doesn't want to give up personal information--like gender, salary or hobbies--then random ads are delivered, Fuller said.

The policies are clearly stated on Aureate's and CuteFTP's Web sites.

"We don't collect data unless they give it to us," Fuller said. "We don't collect people's names or addresses, and we don't track what they're seeing online."

Privacy watchdog groups like the Electronic Privacy Information Center (EPIC) prefer a permission-based tracking model that doesn't seek a person's name and address.

"Anonymity is the right model," said Marc Rotenberg, EPIC's executive director, who said that he is unfamiliar with Aureate's and CuteFTP's situations. "In advertising there is no need to collect a name and address--nothing is being shipped or sold. And opting in is the preferred approach."

Bennett, the Texas Webmaster, said the controversy demonstrates that companies need to do a better job quelling the public's fears about privacy.

"I don't think there's anything wrong with targeted banner advertisements," he said. "But there needs to be more information. A person should know what's happening to information about them and what's going on with the software in their computers."